Automating Hardware in Windows 7

For all of us desktop administrators out there, automation is the key to our success. Using Group Policy, we can automate the deployment of software, settings, printers, drive mappings and pretty much anything else for our users and computers. Hardware, especially roaming hardware, has always been a thorn in our sides.

Anytime users get new printers or scanners, we have to install and test drivers. Most of these drivers come with bloatware and applications that simply are not needed. With the release of Windows Vista and Windows 7, Microsoft made huge strides in giving us the ability to automate driver deployment, driver updates, and hardware management. We can use these methods to automate hardware, which makes our users happier and our jobs easier.

In the next four tasks, we will walk through setting a central storage area for drivers, populating that store, getting our clients to use that store, and allowing limited users to load specific drivers. As a real-world example, we will go through the driver installation, extraction, and deployment of a desktop scanner.

Task 1: Setting up the Driver Store

Most IT departments have shares or drives where we keep our software, virtual machines, or downloaded drivers. Some of us probably even have network shares where software is kept for deployment. We can even have a central store for ADMX files in Group Policy, but what about drivers? Well, it is time to create our Central Store for Drivers.

First, set up a network share. All computers and users should be able to read/execute drivers from this share, so “Everyone” or “Authenticated Users” should have the Read permission on the share and Read/Execute on the folder. No other permissions should be required. Keep write access limited to the administrators who publish drivers, because clients will install whatever packages they find here. For this article, the share name is CentralDrivers.

 
Underneath the CentralDrivers folder you will find sub-folders for common hardware types. The type of hardware dictates how specific you should get.

For example, under the folder PC Hardware, sub-folders have been created for Audio devices, system boards, and Video Cards.  Set up your share in the way that makes the most logical sense for your organization.
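
To confirm that the store stays read-only for everyone except the people who publish drivers, the folder permissions can be audited. The PowerShell below is an added example, not part of the original article; the \\DRIVERSERVER\CentralDrivers path and the list of permitted writers are assumptions to adjust for your environment.

```powershell
# Added example: audit NTFS permissions on the Central Driver Store.
# Assumed path: the article names the share CentralDrivers; the server name is a placeholder.
$storeRoot = '\\DRIVERSERVER\CentralDrivers'

# Assumption: only these identities may change the store. Add your driver-publishing group.
$allowedWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

# Rights that let a principal add, replace or delete files, or change the ACL itself.
$rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) appear as raw bits on some ACEs.
$mask = [int]$rights -bor 0x50000000

# Root folder first, then every sub-folder.
$folders = @(Get-Item -LiteralPath $storeRoot) +
           @(Get-ChildItem -LiteralPath $storeRoot -Recurse | Where-Object { $_.PSIsContainer })
$rootName = $folders[0].FullName

$findings = foreach ($folder in $folders) {
    foreach ($ace in (Get-Acl -Path $folder.FullName).Access) {
        # Below the root, look only at explicit ACEs; inherited ones are reported at the root.
        $relevant = ($folder.FullName -eq $rootName) -or (-not $ace.IsInherited)
        $canWrite = ([int]$ace.FileSystemRights -band $mask) -ne 0
        $who      = $ace.IdentityReference.Value
        if ($relevant -and $canWrite -and
            $ace.AccessControlType -eq 'Allow' -and
            $allowedWriters -notcontains $who) {
            New-Object PSObject -Property @{
                Folder   = $folder.FullName
                Identity = $who
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

if ($findings) {
    Write-Warning 'Unexpected write access on the driver store:'
    $findings | Select-Object Folder, Identity, Rights | Format-Table -AutoSize
} else {
    Write-Output "No unexpected write access found under $storeRoot"
}
```

This covers the folder (NTFS) permissions only; the share-level permission still needs to be checked on the file server itself.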

Task 2: Getting Our Drivers in the Central Driver Store

In Windows XP and below, extracting drivers was a nightmare to do by hand. Drivers could be stored in Program Files, Application Data, Windows INF, System32, Temp folders … basically anywhere the driver manufacturer wanted to put them.
 
Windows Vista changed all of this. All drivers, when installed, are loaded into the local DriverStore. The complete package for every installed driver can be found at C:\Windows\System32\DriverStore\FileRepository\. This makes populating our driver store pretty quick and easy!

As an example, you want to automate a desktop scanner install for your users. To automate the scanner install, we must first put this scanner driver in the Central Driver Store. After installing the scanner driver on a test machine, open up the local driver store (C:\Windows\System32\DriverStore\FileRepository).

 
 
Drivers are not named in the friendliest fashion (as seen in the picture) but sorting by “Date modified” will show you the newest installed drivers. Simply drag the entire contents of that driver folder (ex: 1394.inf_x86…) over to a folder in your network share.

As shown above, I have created a sub folder under scanners and renamed the folder to a user friendly name. This folder contains all of the files needed to install the device.

Task 3: Getting our clients to see the Central Driver Store

We have created a Central Driver Store. Our Central Driver Store now has at least one driver package in it. But as a co-worker of mine always says, “how does it know?” More specifically, how do your clients know where to find these drivers?
 
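Well, here comes the easy part: getting our clients to actually use the Central Driver Store. To do so, deploy this one registry setting. DevicePath is a value (type REG_EXPAND_SZ) under the CurrentVersion key, and it holds a semicolon-separated list of locations that Windows searches for drivers:

Key: HKLM\Software\Microsoft\Windows\CurrentVersion
Value name: DevicePath

Value: %SystemRoot%\Inf;\\SERVERNAME\SHARE
EX: %SystemRoot%\Inf;\\DRIVERSERVER\Drivers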
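
To check or set this on a single client from an elevated prompt, the PowerShell below can be used. It is an added example, not part of the original article; it assumes the article's sample path \\DRIVERSERVER\Drivers and preserves any entries already present in DevicePath.

```powershell
# Added example: verify or append the Central Driver Store in DevicePath.
# $storePath is the article's sample value; replace it with your own share.
$keyPath   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion'
$storePath = '\\DRIVERSERVER\Drivers'

# Read the raw, unexpanded string. Get-ItemProperty would expand %SystemRoot%,
# and writing that back would hard-code the Windows directory.
$key = Get-Item -Path $keyPath
$raw = $key.GetValue('DevicePath', '%SystemRoot%\Inf',
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)

# DevicePath is a semicolon-separated search list.
$entries = @($raw -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

# Show every location Windows will search, so unexpected network paths stand out.
foreach ($entry in $entries) {
    $kind = if ($entry -like '\\*') { 'network' } else { 'local' }
    Write-Output ("{0,-8} {1}" -f $kind, $entry)
}

if ($entries -contains $storePath) {
    Write-Output "DevicePath already contains $storePath"
} else {
    $new = ($entries + $storePath) -join ';'
    # ExpandString keeps the value as REG_EXPAND_SZ so %SystemRoot% still resolves.
    Set-ItemProperty -Path $keyPath -Name 'DevicePath' -Value $new -Type ExpandString
    Write-Output "DevicePath updated to: $new"
}
```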
 
Task 4: Allowing Standard Users to Install Central Driver Store drivers

To completely automate driver installation, ordinary limited users should never be prompted for elevated credentials when installing managed hardware (such as when plugging in our scanner for the above task). To do this, the following three criteria must be met:

  1. The driver must be in a central driver store.
  2. The driver setup class must be allowed.
  3. The driver publisher must be trusted.

We have already tackled item 1, so that shouldn’t be a problem anymore. To meet item 2, we must first find out our driver setup class. To do this, go to the location of the driver in the central driver store. Right click on any .INF file for this driver and click OPEN. At the top of the file, you will see a line named ClassGUID. It should look something like the GUID below. Copy everything to the right of the equals sign (including the brackets).

ClassGuid={08A1BFE9-96AF-4448-82D5-C93E3BF6A364}

In a GPO linked to the computers needing the driver, navigate to Computer Config\Admin Templates\System\Driver Installation. Enable “Allow non-administrators to install drivers for these device setup classes.”  Now paste the GUID that you copied from the .INF. 
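
Once the store holds more than a handful of packages, opening each .INF by hand gets tedious. The PowerShell below is an added example, not part of the original article: it reads the [Version] section of every .INF under an assumed store path (\\DRIVERSERVER\CentralDrivers) and lists the setup class GUIDs so you can review exactly which classes the policy would open up to standard users. The function name Get-InfVersionInfo is hypothetical.

```powershell
# Added example: inventory setup classes in the Central Driver Store.
# $storeRoot is an assumed path; the article only names the share CentralDrivers.
$storeRoot = '\\DRIVERSERVER\CentralDrivers'

function Get-InfVersionInfo {           # hypothetical helper name
    param([string]$Path)
    $info = @{}                         # hashtable literal: key lookup is case-insensitive
    $inVersion = $false
    # Get-Content honours the UTF-16 byte order mark that many INF files carry.
    foreach ($line in Get-Content -LiteralPath $Path) {
        # Strip INF comments. Assumes no ';' inside quoted values in [Version].
        $text = ($line -replace ';.*$', '').Trim()
        if ($text -match '^\[(.+)\]$') {
            $inVersion = ($Matches[1].Trim() -ieq 'Version')
            continue
        }
        if ($inVersion -and $text -match '^([^=]+)=(.*)$') {
            $info[$Matches[1].Trim()] = $Matches[2].Trim().Trim('"')
        }
    }
    $guid = [string]$info['ClassGuid']
    New-Object PSObject -Property @{
        Package    = Split-Path -Leaf (Split-Path -Parent $Path)
        Inf        = Split-Path -Leaf $Path
        Class      = $info['Class']
        ClassGuid  = $guid.ToUpper()
        GuidValid  = ($guid -match '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')
        # Only shows that a catalog is referenced; it does not validate the signature.
        HasCatalog = [bool]($info.Keys | Where-Object { $_ -like 'CatalogFile*' })
    }
}

$report = Get-ChildItem -Path $storeRoot -Recurse -Filter *.inf |
          ForEach-Object { Get-InfVersionInfo -Path $_.FullName }

$report | Sort-Object Package |
    Select-Object Package, Inf, Class, ClassGuid, GuidValid, HasCatalog |
    Format-Table -AutoSize

# Distinct GUIDs: the candidate entries for the "Allow non-administrators..." policy.
$report | Where-Object { $_.GuidValid } | Group-Object ClassGuid |
    Select-Object Name, Count | Format-Table -AutoSize

# Packages that reference no catalog file need a closer look before they are published.
$report | Where-Object { -not $_.HasCatalog } | Select-Object Package, Inf
```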
 

The last thing that we have to do is to make sure that whoever signed the driver is a trusted publisher on our machines. You will only need to do this if you are presented with a Windows Security popup like the one below when installing the driver manually for extraction.

 
If you are presented with this popup, select “Always trust software from …” and press install. After installation, run certmgr.msc. Navigate to “Trusted Publishers” and then select “Certificates”. Right click on the certificate and click export. This certificate will need to be distributed to all of your computers that will install this hardware. This can easily be done by opening a GPO, going to Computer Config\Windows Settings\Security Settings\Public Key Policies and importing the certificate under the Trusted Publishers Certificates. After importing, you should see the certificate listed (as seen below). Keep in mind that the trust applies to the certificate, not to one driver package: anything signed with it will install without this prompt, so import only the publishers whose hardware you actually deploy.

 

There you have it. You now have the framework to completely automate all of your hardware installations across your entire organization. Gone are the days of having to individually install drivers or enter administrator credentials for your users (or worse: making users admins so that they can install hardware).
 
Good luck in your hardware automation!
 
Author’s Bio: Joseph Moody is an IT professional and freelance writer, and lead author on Windows8library.com
